Introduction: 


Malware reaches enterprises and individuals through many channels (USB drives, phishing 
mail, drive-by downloads), so any file you suspect should be detonated and analyzed in a 
sandbox before it is ever run on a real system, to make sure it is not malicious or harmful. 
In this guide you will learn the basics of the static and dynamic malware analysis tools 
and techniques used to find malicious artifacts, and then apply them to a real sample 
in a demo lab. 


Sandbox Definition: 


In cybersecurity, a sandbox is an isolated test environment that looks like an end-user 
system, in which a suspicious file can be executed safely so that its behavior can be 
observed. It is especially valuable for zero-day malware, for which no signatures exist 
yet and behavior is the only evidence you have. 
Installation Requirements: 


To build your sandbox you need to meet some basic hardware and software requirements. 


Hardware Requirements: 
- 2.4 GHz CPU or faster 
- 6 GB RAM or more 
- 100 GB free hard drive space or more 
Software Requirements: 
- VMware or VirtualBox 
- Host operating system (Linux, macOS, Windows 10, Windows 8, etc.) 
- Guest operating system (Windows 10, Windows 8, etc.) 


Tools Required for Analysis 


Static analysis tools: 


- YARA: a tool aimed at (but not limited to) helping malware researchers 
identify and classify malware samples. A YARA rule describes a family or 
type of malware by the text/binary strings and conditions it contains; we 
will use community rules to classify the sample (keylogger, ransomware, 
Trojan, the packer or compiler used, etc.) by such characteristics. 

Download the tool from here (https://virustotal.github.io/yara/) 
You can find a community YARA rules repository here 
(https://github.com/Yara-Rules/rules) 


- Exeinfo PE: a GUI tool to inspect PE header information and match 
compiler/packer signatures. We will use it to verify whether we are dealing 
with a packed file and, if so, which packer was used and how to unpack it. 

Download the tool from here (https://exeinfo-pe.en.uptodown.com/windows) 
- ComputeHash: a suggested tool to calculate file hashes (MD5, SHA-1, 
SHA-256). Feel free to use any other tool; certutil -hashfile and the 
PowerShell Get-FileHash cmdlet are already on every Windows machine. 
Download the tool from here 
(http://www.subisoft.net/ComputeHash.aspx ) 


- PEstudio: a very useful tool made specifically for static malware 
analysis. It surfaces suspicious strings, imported functions, resources 
and other indicators without running the file. We will explore it in more 
detail later. 


Download the tool from here (https://www.winitor.com/features) 


Dynamic analysis tools: 


- FakeNet: a tool that aids in the dynamic analysis of malicious software. 
It simulates a network (DNS, HTTP, SMTP and other services) so that 
malware trying to reach a remote host keeps running, letting the analyst 
observe the malware's network activity from within a safe, offline 
environment. 
Download the tool from here 
(https://www.fireeye.com/services/freeware/fakenet-ng.html) 


- RegShot: registry and file system snapshot tool; it diffs two snapshots 
of the system taken before and after the malware runs. 
Download the tool from here 
(https://sourceforge.net/projects/regshot/) 


- ProcMon (Process Monitor): records real-time system activity such as 
process creation, registry keys edited or added, files touched and network 
connections, with powerful filtering. 

Download the tool from here 
(https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) 


- ProcDot: visualizes the ProcMon output (and optionally a PCAP) as a graph. 
Download the tool from here 
(https://cert.at/en/downloads/software/software-procdot) 


- Autoruns: a very useful free tool from Microsoft that enumerates every 
auto-start location (Run keys, services, drivers, scheduled tasks, 
Winlogon, etc.), shows what is configured to run at boot or logon, and 
verifies the code-signing certificates of those images. 


Download the tool from here (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns) 


Mostafa Yahia 


E-Mail: Mostafayahia753@gmail.com 
LinkedIn: https://www.linkedin.com/in/mostafa-yahia-701b4b15a/ 


Guest Preparation: 


WARNING: you will be dealing with very dangerous malware samples, so please be 
careful and follow the instructions below. 


Guest Preparation Steps: 


- Create a new Windows virtual machine on either VMware or VirtualBox. 

- Download all of the above tools and copy them into the guest. 

- Put the guest on a host-only network (or no network at all) and disable 
drag & drop and copy & paste between host and guest. The goal is to 
isolate the VM from the internet and from your LAN so that you don't 
infect your host or other machines while analyzing malware. Note that 
host-only networking still lets the guest reach the host itself, so keep 
the host firewall on and don't expose shared folders to the guest. 

- Apply all of the tips below to evade sandbox detection. 

- Now take a snapshot (a clean snapshot to revert to after each analysis 
session). 


Tips to evade Sandbox Detection. 


Before running its real payload, malware may check for the presence of a 
virtual machine environment (sandbox) or search for malware analysis tools 
on the machine (Wireshark, PEstudio, etc.). If it detects a VM or such 
tools it may change its behavior, perform a decoy action or delete itself 
to evade the analysis tools and activities. 


What should I do to evade sandbox detection? 


- Keep the VM hard disk as large as you can (more than 100 GB). 

- Give the VM plenty of RAM (4 GB or more). 

- Don't install the VM guest tools (VMware Tools / VirtualBox Guest 
Additions). If you need them during setup, uninstall them before 
executing the malware. 

- Install common end-user applications (Adobe Reader, Excel, Firefox, 
etc.) and put many random files on the Desktop and the disk partitions: 
pictures, videos, documents, even small games. 

- Open many files and applications before executing the malware to build 
up recent activity (recent documents, browser history). 
- Give the VM two or more vCPU cores. 

- Rename the malware analysis tools to look like games or music, for 
example rename "PEstudio" to "hello". 

- Use a normal-looking login username (Mostafa Yahia, Will Smith, etc.) 
and a normal machine name. 

These tips defeat the simple checks (disk and RAM size, tool process names, 
uptime and user activity). Artifacts of the hypervisor itself remain visible: 
the VM's MAC address OUI, the CPUID hypervisor bit and vendor string, 
SMBIOS/BIOS strings and virtual device driver names. Hiding those needs 
configuration on the hypervisor side, so if a sample still refuses to run 
after the tips above, those are the next things to look at. 


Putting it all together: 


Now you should have downloaded the required tools and prepared your guest to 
analyze your first malware. We will analyze the malware in two phases: a 
static analysis phase and a dynamic analysis phase. 


Static analysis phase: 


In this phase we identify the malware type with YARA and examine the file 
without executing it. Deep static analysis (disassembly, debugging) requires 
experience in the malware analysis field, but we can easily extract useful 
information with beginner-friendly tools such as Exeinfo PE and PEstudio. 


1- Compute hashes: run the ComputeHash tool to collect the file hashes (MD5, 
SHA-1, SHA-256), then search for them on threat intelligence platforms such as 
VirusTotal, IBM X-Force Exchange or even Google. If the malware has been seen 
before you will find a lot of useful information from the community. Do the 
lookups from the host or another connected machine, not from the isolated 
guest, and search the hash rather than uploading the file if the sample may 
have been targeted at your organization. 


2- YARA: run YARA rules against the file to identify the malware family. The 
command-line syntax is yara [OPTIONS] RULES_FILE TARGET_FILE (add -s to print 
the matched strings and -w to silence rule warnings); the full syntax is 
documented at the URL below. 


(https://yara.readthedocs.io/en/stable/commandline.html) 


3- Exeinfo PE: we will use this tool to tell us whether we are dealing with a 
packed file. If so, the last two fields of the window give the information 
needed: which packer the attacker used and a hint on how to unpack it. 


[Screenshot: Exeinfo PE window for a UPX-packed sample. EP Section: UPX1, 
First Bytes: 60.BE.00.C0 (pushad; mov esi, ...: the start of the UPX 
decompression stub), SubSystem: Windows GUI, File Size: 00141000h, 
Overlay: NO, "Image is 32bit executable". Detection: "UPX 0.89 - 3.xx -> 
Markus & Laszlo ver. [ 3.91 ] <- from file". Unpack hint: 'unpack "upx.exe 
-d" from http://upx.sf.net or any UPX/Generic unpacker'.] 
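As an added example (this script is not part of the original guide or of any of the tools above), the following stdlib-only Python does what steps 1 and 3 do by hand: it hashes the file, walks the PE section table, finds the section that contains the entry point, and reports per-section entropy plus the packer section names (UPX0/UPX1 and a few others) that Exeinfo PE keys on. It builds a tiny synthetic UPX-shaped PE in memory so it runs offline; that sample, the packer-name list and the 7.0 entropy threshold are my assumptions, not values from the page.

```python
"""Stdlib-only PE triage: hashes, section entropy, entry-point section, packer hints."""
import hashlib
import math
import struct

# Section names typical of well-known packers (assumed list, extend as needed).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".MPRESS1", ".MPRESS2"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256, the values you search on VirusTotal, X-Force, etc."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means compressed or encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse just enough of the PE headers to locate the entry point and the sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ... SizeOfOptionalHeader(2) at +16
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):                            # section table follows the optional header
        off = opt + size_opt + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": rsize,
                         "entropy": round(entropy(data[rptr:rptr + rsize]), 3)})
    return {"is_pe32plus": magic == 0x20B, "timestamp": timestamp,
            "entry_rva": entry_rva, "sections": sections}


def triage(data: bytes) -> dict:
    """Combine hashes and PE facts into the first verdict an analyst wants: packed or not?"""
    pe = parse_pe(data)
    ep_section = next((s for s in pe["sections"]
                       if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"])), None)
    hints = []
    if ep_section is None:
        hints.append("entry point outside every section")
    else:
        if ep_section["name"] in PACKER_SECTION_NAMES:
            hints.append(f"entry point in packer section {ep_section['name']}")
        if ep_section["entropy"] > 7.0:   # assumed threshold
            hints.append("entry-point section has near-maximal entropy (compressed/encrypted)")
    hints += [f"packer section name {s['name']}" for s in pe["sections"]
              if s["name"] in PACKER_SECTION_NAMES and s is not ep_section]
    return {**file_hashes(data), "ep_section": ep_section["name"] if ep_section else None,
            "sections": pe["sections"], "packer_hints": hints, "likely_packed": bool(hints)}


def build_sample_pe() -> bytes:
    """Construct a minimal 32-bit PE with UPX-style sections (a synthetic sample, not Kenora.exe)."""
    upx0 = b"\0" * 64                 # empty section that UPX unpacks into at runtime
    upx1 = bytes(range(256)) * 4      # uniform byte distribution -> entropy exactly 8.0
    headers_len = 0x40 + 24 + 224 + 2 * 40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x5B000000, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, len(upx1), 0, 0, 0x3000) + b"\0" * (224 - 20)
    sec_upx0 = b"UPX0".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, len(upx0), headers_len) + b"\0" * 16
    sec_upx1 = b"UPX1".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x3000, len(upx1), headers_len + len(upx0)) + b"\0" * 16
    return dos + b"PE\0\0" + file_hdr + opt + sec_upx0 + sec_upx1 + upx0 + upx1


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

Run it against a real file with triage(open(path, "rb").read()). An entry point inside a section named UPX1 is the same verdict Exeinfo PE gave in the screenshot; an entry point inside a high-entropy section with an ordinary name is the signal to suspect a custom or less common packer, which is where Exeinfo PE's signature database earns its keep.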
4- PEstudio: if you intend to use just one tool during the static analysis 
phase, make it PEstudio. It is made specifically for static malware analysis 
and is integrated with MITRE ATT&CK (imports are mapped to techniques) and 
with VirusTotal (hash lookup). 

As said before, this phase normally requires experience in the malware 
analysis field, so we will focus on the features that are easy to use. 


[Screenshot: pestudio-pro 9.04 "Malware Initial Assessment" with a sample opened 
as e:\md5,53345d1d0d11eafd64f8212d27c7c18c. Left tree: indicators (11/36), 
dos-stub (184 bytes), file-header (Oct.2015), optional-header (file-checksum), 
directories (6), sections (entry-point), libraries (2/11), imports (56/185), 
exports, tls-callbacks (1), resources (language), strings (40/1532). Main pane, 
MITRE ATT&CK view: Execution (1/17), Defense Evasion (4/63), Discovery (3/20), 
Lateral Movement (0/12); techniques flagged include Query Registry, Obfuscated 
Files or Information, Process Injection, System Time Discovery, Modify Registry 
and Virtualization/Sandbox Evasion. Status bar: sha256 
2567487D6F07B8E2B7330AE6A14DF46B6C1647F18A18CF322DEF978847241825, file-type: 
dynamic-link-library, subsystem: GUI, entry-point: 0x00049544.] 
- indicators: this tab aggregates everything suspicious about the file: 
bad reputation on VirusTotal, imported functions that are on PEstudio's 
blacklist, embedded files, URLs, and more. 


- VirusTotal: PEstudio sends only the file's hash to VirusTotal and 
retrieves the results; the file itself is not uploaded. This needs 
internet access, so from an isolated guest the column stays empty; look 
the hash up from the host instead. 


- file-header: contains the compiler timestamp (the date the file was 
built, which can be forged) and the target machine/CPU type. 


- imports: PEstudio keeps a list of blacklisted functions and libraries 
that are often used by malware and marks them in the imports tab, 
together with the MITRE ATT&CK technique each maps to. 


- strings: PEstudio lists the strings found in the file and flags the 
suspicious ones (URLs, registry paths, e-mail addresses, blacklisted API 
names). 


- version: shows the original file name, company name, file description, 
language of the author and file type, as claimed by the file's version 
resource. Malware often copies a legitimate product's details here, so 
treat it as a claim, not a fact. 
Dynamic analysis Phase: 


In this phase we run all of the dynamic analysis tools (explored below) 
with administrator privileges, so that they can see the entire system, 
then execute the malware and watch its behavior: network communication, 
registry edits, dropped files, downloading of additional payloads, etc. 
First we start all the tools together, then we execute the malware. 


1- FakeNet: as you remember, we have cut the VM off from the network and 
the internet, but malware usually tries to communicate with its C&C 
server for more payloads or instructions. FakeNet answers in place of the 
internet: it serves DNS, HTTP, SMTP and other protocols locally, so the 
malware believes it is online, and it logs all activity to a log file and 
to a PCAP file of all captured network traffic. 


[Screenshot: C:\Users\...\Desktop\fakenet1.3\fakenet1.3\fakenet.exe console at 
startup: a warning that no DNS server is configured, and the interfaces it 
found, VMware Network Adapter VMnet1 and a second VMware Network Adapter.] 





2- RegShot: file system and registry snapshot tool. Its job is simple: take 
a first shot of the entire system before running the malware, take a second 
shot after, then compare the two to list the files and registry keys/values 
that were added, deleted or modified in between. 


[Screenshot: Regshot 2.0.1.66 unicode main window: menu File / 1st shot / 
2nd shot / Report / Help, a "Connect to remote registry" option, the folder 
for storing the report (%SYSTEMDRIVE%\Hive), the report name ("Report") and 
a field to add a comment to the report.] 
3- ProcMon: Process Monitor records process behavior in real time: registry 
edits, child process creation, file creation or deletion, network 
connections, etc. It also has a powerful filter capability, which you will 
need: a few minutes of recording produces hundreds of thousands of events. 
The most useful filter for a detonation is "Process Name is <sample>.exe", 
extended with any child processes the sample spawns (watch for Process 
Create operations). 





[Screenshot: Process Monitor (Sysinternals) main window with columns Time of 
Day, Process Name, PID, Operation, Path, Result, Detail. Rows show lsass.exe 
(PID 832) doing CreateFile/CloseFile on C:\Windows\System32\Microsoft\Protect\... 
and sw2_service.exe (PID 3732) doing RegQueryKey / RegOpenKey / RegQueryValue / 
RegSetInfoKey / RegCloseKey on HKLM\SOFTWARE\Microsoft\Cryptography..., 
HKLM\SOFTWARE\SecureW2\License and HKLM\SYSTEM\CurrentControlSet\Services\..., 
mostly SUCCESS with a few NAME NOT FOUND and one REPARSE. Status bar: 
"Showing 460,776 of 956,665 events (48%)", "Backed by virtual memory".] 


4- ProcDot: we will use this tool to visualize the ProcMon data as a graph 
of processes, files, registry keys and network connections, which gives 
more visibility into the process behavior and activity. ProcDot reads 
ProcMon's CSV export (not the native PML file) and can correlate it with 
the FakeNet PCAP. 

[Screenshot: ProcDot graph with edges labelled "delete file", "create 
process" and "create file".] 
5- Autoruns: the most complete autostart enumerator for Windows. It knows 
every auto-start location (Run keys, services, drivers, scheduled tasks, 
Winlogon, Explorer shell extensions, WMI, Office add-ins, etc.), shows you 
which programs are configured to run at system boot or login, verifies the 
code-signing certificates of those images and flags unsigned or unverified 
ones; it can also submit the hashes to VirusTotal. Hide the signed Microsoft 
entries to shrink the list, then compare against a clean snapshot: a new 
unsigned entry after detonation is the malware's persistence. 





[Screenshot: Autoruns (Sysinternals) main window. Tabs: Everything, Logon, 
Explorer, Internet Explorer, Scheduled Tasks, Services, Drivers, Codecs, 
Boot Execute, Image Hijacks, AppInit, KnownDLLs, Winlogon, Winsock 
Providers, Print Monitors, LSA Providers, Network Providers, WMI, Office. 
Columns: Autorun Entry, Description, Publisher, Image Path. Entries are 
grouped by location: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell 
(cmd.exe, Microsoft Corporation), HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
(C-Media Mixer, StartCCC for Catalyst Control Center, SunJavaUpdateSched), 
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Clean Space, Internet 
Download Manager), the Startup folder (Wireless Configuration Utility) and 
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (Google Chrome 
installer, Windows Mail). A context menu on the jusched.exe entry (Java 
Update Scheduler, Oracle Corporation, version 2.8.171.11) offers Jump to 
Image, Verify Image, Check VirusTotal, Process Explorer, Search Online, 
Find and Properties. Status bar: "Ready. | Windows Entries Hidden."] 
Demo Lab: 


WARNING: you will run a real malware sample, so please be careful and follow the 
previous guide instructions to avoid getting infected. 


We will analyze a malware sample called Kenora.exe. 


File Identification phase (YARA) 


Run YARA from the command line (here installed at D:\YARA\yara64.exe) with the 
rules repository downloaded earlier (here at D:\YARA\rules-YARA, whose index.yar 
includes all of the rule files) against the suspected file Kenora.exe (here at 
D:\Malware\Kenora.exe). 
The final command is: D:\YARA\yara64.exe -w -s D:\YARA\rules-YARA\index.yar D:\Malware\Kenora.exe 

Executing the above command gives the result below: 

[Screenshot: YARA output, one line per matching rule, with -s also listing 
the matched strings and their offsets.] 

In the output, each line shows the matched rule name on the left and the file 
name on the right; with -s the matched strings follow each rule. Now you know 
the malware type and the strings that identified it. 
The rules identify the sample as a keylogger and flag that it was built with 
Borland Delphi (the rules repository lists this under packers, though Delphi 
is a compiler rather than a packer; the file is not compressed), among 
others. Notice the many matched strings too: the malware will use a dynamic 
DNS domain, contains anti-debug checks, and more. You can now anticipate the 
results you will get during the static and dynamic analysis. 

Static analysis Phase: 


- Exeinfo PE: 


Drag and drop the malicious file onto the tool to see whether you are dealing 
with a packed file and, if so, what the packer is and how to unpack it. 


[Screenshot: Exeinfo PE ver. 0.0.5.1 by A.S.L (1020+68 signatures, 
2018.04.31) with Kenora.exe loaded: EP Section: CODE, File Offset 00099F80, 
File Size 003E5200h, "Image is 32bit executable", detection: Borland Delphi.] 


The result: Exeinfo PE identifies the file as a Borland Delphi executable. 
The entry point sits in the normal CODE section, unlike the UPX1 section in 
the UPX example earlier, so the file is not wrapped in a runtime packer. 
Delphi binaries are large and string-rich, which is good news for the next 
step. 
- PEstudio: 


Open the tool, then drag and drop the file (or File >> open file). 


The file tab shows quick information about the file: hashes, magic bytes, 
file size, file type, compiler stamp, version information and signature. 


[Screenshot: PEstudio file tab for c:\users\securemisr\downloads\kenora.bin\kenora.exe. 
Tree: dos-header (64 bytes), dos-stub (192 bytes), file-header (Jun.1992), 
optional-header (GUI), directories (5), sections (shared), imports (22/161), 
resources (executable), strings (271/41659), version (1.0.0.0). Properties: 
md5, sha1, sha256 FF10CE2C25A225FBB21BC48822BBEC6498BDCAC9B44B2D581D8D34A37997C25F 
(and the same three hashes without overlay), first-bytes-hex 
4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 ..., 
file-size 4084224 bytes, size-without-overlay, entropy 7.153, imphash, 
entry-point bytes 55 8B EC 83 C4 F0 B8 78 A7 49 00 E8 98 C1 F6 FF A1 CC DB 49 00 ..., 
file-version 1.0.0.4, description "Synaptics Pointing Device Driver", 
file-type executable, cpu 32-bit, subsystem GUI, compiler-stamp 0x2A425E19 
(Sat Jun 20 00:22:17 1992 - UTC), entry-point 0x0009AB80, signature 
"BobSoft Mini Delphi -> BoB / BobSoft".] 


PEstudio confirms the Delphi build through the signature field (BobSoft Mini 
Delphi -> BoB / BobSoft) and the "MZP" DOS header (first bytes 4D 5A 50) that 
Delphi linkers write. Three other things on this tab deserve a note before 
going further: the compiler-stamp 0x2A425E19 (June 1992) is the fixed 
placeholder that Delphi's linker writes into every executable, not the real 
build date, so it cannot be used for timelining; the entropy of 7.153 is high 
for an unpacked executable and is explained by the compressed payloads 
embedded in the resources (see the indicators tab); and the version 
information claims to be a "Synaptics Pointing Device Driver", a legitimate 
product name borrowed to look harmless. 


PEstudio tabs navigation: 


Indicators tab: 


[Screenshot: PEstudio indicators tab for kenora.exe, indicator count 92. Rows 
include: "The file references a URL" (dozens of entries), "The file contains 
another file" (3: two executables and one PKZIP archive, all located in the 
resources), "The file references string(s) tagged as blacklist" (count 272), 
"The file references library(ies) tagged as blacklist" (count 3), "The file 
references symbol(s) tagged as blacklist", "The file references a URL 
pattern" (many), "The file references an unknown resource" (rcdata 
DESCRIPTION, rcdata EXEVSNX). The URLs that can be read from the screenshot 
(share identifiers and paste IDs are garbled) include: 
  https://freedns.afraid.org/api/?action=getdyndns&sha=... 
  https://docs.google.com/uc?id=...&export=download 
  https://www.dropbox.com/s/.../SUpdate.ini?dl=1 
  https://....site50.net/syn/SUpdate.ini 
  https://www.dropbox.com/s/.../Synaptics.rar?dl=1 
  https://....site50.net/syn/Synaptics.rar 
  https://www.dropbox.com/s/.../SSLLibrary.dll?dl=1 
  https://....site50.net/syn/SSLLibrary.dll 
  https://pastebin.com/raw/... (several distinct paste IDs)] 

There is a lot of network communication here: the malware resolves its C&C 
through a dynamic DNS API (freedns.afraid.org), fetches configuration or 
updates (SUpdate.ini) and additional payloads (Synaptics.rar, SSLLibrary.dll) 
from Google Drive, Dropbox and a free hosting site, and reads raw pastebin 
pastes, a common way to host a C&C address that can be changed without 
touching the binary. Expect payload downloads, C&C traffic and data 
exfiltration during dynamic analysis, and record every one of these URLs as 
an IOC. 
Libraries tab: 


[Screenshot: PEstudio libraries tab for kenora.exe: library (12), blacklist 
(3), type (1), imports (161), description.] 

  library        blacklist  type      imports  description 
  kernel32.dll              implicit  48       Windows NT BASE API Client DLL 
  user32.dll                implicit           Multi-User Windows USER API Client DLL 
  advapi32.dll              implicit  3        Advanced Windows 32 Base API 
  oleaut32.dll              implicit  3        OLEAUT32.DLL 
  version.dll               implicit  3        Version Checking and File Installation Libraries 
  gdi32.dll                 implicit  64       GDI Client DLL 
  ole32.dll                 implicit  1        Microsoft OLE for Windows 
  comctl32.dll              implicit  22       Common Controls Library 
  shell32.dll               implicit  2        Windows Shell Common Dll 
  wininet.dll    x          implicit  5        Internet Extensions for Win32 
  wsock32.dll    x          implicit  5        Windows Socket 32-Bit DLL 
  netapi32.dll   x          implicit  1        Net Win32 API DLL 


The malware imports from twelve Windows libraries; the interesting ones are 
the three blacklisted libraries, which are typically used to communicate over 
the internet: wininet.dll (HTTP downloads), wsock32.dll (sockets and name 
resolution) and netapi32.dll (Windows networking and host information). 


Imports tab: 


[Screenshot: PEstudio imports tab for kenora.exe: name (161), group (12), 
mitre-technique (7), mitre-tactic (5), type (1), anonymous (0), blacklist 
(22), anti-debug (0), undocumented (0), deprecated (8), library (12). Visible 
blacklisted rows include GetFileVersionInfoSizeA (system-information, 
version.dll), InternetGetConnectedState and InternetReadFile (network, 
wininet.dll), further network imports from wininet.dll, wsock32.dll and 
netapi32.dll, a keyboard-and-mouse import from user32.dll, file and execution 
imports from kernel32.dll, a shell32.dll execution import mapped to 
"Execution through API", a dynamic-library import from kernel32.dll, and 
system-information imports mapped to System Time Discovery.] 


The malware imports many blacklisted functions. For example, from 
wsock32.dll it imports gethostname and gethostbyname, which let it learn the 
victim's host name and resolve names to addresses (its C&C hostname, or the 
victim's own IP for the "system info" it reports home). The keyboard-and-mouse 
import from user32.dll is consistent with what a keylogger needs to read 
keystrokes. 

For details about what each function does, the Microsoft documentation (or a 
quick Google search) is your friend. 
Strings tab: 


[Screenshot: PEstudio strings tab for kenora.exe listing ascii strings with 
their offsets (e.g. 0x00099118) and blacklist flags, among them the Gmail SMTP 
server, the attacker's xredline*@gmail.com addresses and the 
SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry path.] 


This is the most interesting tab: it lists every string in the file and flags 
the malicious and suspicious ones. As you can see in the screenshot above, the 
malware intends to use the Gmail SMTP server to exfiltrate the captured data, 
and the attacker's mailboxes are xredline*@gmail.com. You can also see that the 
attacker intends to use the Run registry key 
(SOFTWARE\Microsoft\Windows\CurrentVersion\Run) for persistence, and there is 
much more to be found in this tab. Write these strings down now: the e-mail 
addresses, the SMTP host, the URLs and the Run key are the host- and 
network-based IOCs you will confirm in the dynamic phase. 
Dynamic Analysis Phase: 


First, run all of the dynamic analysis tools as administrator, in the order 
below. 

1- Run FakeNet as administrator. 

2- Run RegShot as administrator and take the first shot. 
3- Run ProcMon as administrator. 

4- Execute the malware as administrator. (A second run as a standard user 
later shows what the sample can still do without elevation.) 


5- After 5 minutes, take the second shot with RegShot. Five minutes is a 
starting point: some samples sleep longer before acting, so if ProcMon and 
FakeNet show nothing, wait and take another shot. 
Analysis steps: 


1- FakeNet prints all of the malware's network activity on its console: C&C 
communication, DNS queries, data exfiltration. It also writes a log file and 
a PCAP file that you can analyze with Wireshark. From the PCAP you will be 
able to collect many network IOCs, as shown in the screenshots below. 


- DNS query to the malicious hostname (source and destination are both the 
guest because FakeNet answers locally): 

Frame 95: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) 
Raw packet data 
Internet Protocol Version 4, Src: 192.168.68.129, Dst: 192.168.68.129 
User Datagram Protocol, Src Port: 55843, Dst Port: 53 
Domain Name System (query) 
    Transaction ID: 0xdda7 
    Flags: 0x0100 Standard query 
    Questions: 1 
    Answer RRs: 0 
    Authority RRs: 0 
    Additional RRs: 0 
    Queries 
        xred.mooo.com: type A, class IN 
            Name: xred.mooo.com 
            [Name Length: 13] 
            [Label Count: 3] 
            Type: A (Host Address) (1) 
            Class: IN (0x0001) 
    [Response In: 96] 


- Discovery and exfiltration of system information: 

[Screenshot: Frame 102: 107 bytes on wire (856 bits), raw IP packet from 
192.168.68.129, TCP segment carrying 67 bytes of data to the FakeNet 
listener. The data bytes begin 53 65 63 75 72 65 6D 69 73 72 7C 44 45 53 4B 
54 4F 50 2D ..., i.e. the text "Securemisr|DESKTOP-...": the logged-in user 
name and the computer name, which matches the user path seen in PEstudio and 
the gethostname import noted in the imports tab.] 
Note: the above screenshots are just a sample; dig further through the PCAP 
and the FakeNet log to find more. HTTP requests for the payload URLs and SMTP 
sessions to the Gmail addresses found in the strings tab are the things to 
look for. 
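Added example (not part of the guide and not FakeNet's code): a stdlib-only Python PCAP reader that extracts the two IOC types shown above, the names in DNS queries and the destinations of new TCP connections, so they can be recorded without clicking through Wireshark. It handles the raw-IP link type that the "Raw packet data" line in the screenshot indicates, and Ethernet captures too. The capture it parses is constructed in memory to mirror the DNS query above; the TCP connection to port 587 in it is my assumption of what an SMTP-to-Gmail attempt would look like, not a packet from the real PCAP.

```python
"""Extract network IOCs (DNS names queried, new TCP destinations) from a pcap, stdlib only."""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101  # bare IP packets, no link-layer header ("Raw packet data" in Wireshark)


def dns_qname(data: bytes, off: int) -> str:
    """Decode a DNS name at offset off (labels only; queries don't use compression pointers)."""
    labels = []
    while off < len(data):
        n = data[off]
        if n == 0 or n & 0xC0 == 0xC0:
            break
        labels.append(data[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def extract_iocs(pcap: bytes):
    """Return (Counter of queried DNS names, Counter of (dst_ip, dst_port) for TCP SYNs)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("expected a little-endian pcap; pcapng and nanosecond pcaps are not handled")
    dns, tcp = Counter(), Counter()
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", pcap, off)
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if linktype == LINKTYPE_ETHERNET:                 # strip the Ethernet header, keep IPv4 only
            if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":
                continue
            pkt = pkt[14:]
        elif linktype != LINKTYPE_RAW:
            continue
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue
        ihl = (pkt[0] & 0x0F) * 4
        proto, dst = pkt[9], socket.inet_ntoa(pkt[16:20])
        l4 = pkt[ihl:]
        if proto == 17 and len(l4) >= 8:                  # UDP: look for DNS queries (QR bit clear)
            dport = struct.unpack_from(">H", l4, 2)[0]
            if dport == 53 and len(l4) >= 20 and not struct.unpack_from(">H", l4, 10)[0] & 0x8000:
                dns[dns_qname(l4, 20)] += 1
        elif proto == 6 and len(l4) >= 20:                # TCP: count new connections (SYN without ACK)
            dport = struct.unpack_from(">H", l4, 2)[0]
            if l4[13] & 0x12 == 0x02:
                tcp[(dst, dport)] += 1
    return dns, tcp


# --- builders for the constructed capture (the real PCAP is not on the page) ---
def _dns_query(name: str, txid: int = 0xDDA7) -> bytes:
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload


def _tcp_syn(sport: int, dport: int) -> bytes:
    return struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_pcap(packets, linktype: int = LINKTYPE_RAW) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1500000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def sample_packets():
    """Constructed traffic shaped like the FakeNet capture above (src == dst because FakeNet answers locally)."""
    host = "192.168.68.129"
    return [
        _ipv4(host, host, 17, _udp(55843, 53, _dns_query("xred.mooo.com"))),
        _ipv4(host, host, 6, _tcp_syn(49576, 587)),   # assumed SMTP submission attempt
    ]


if __name__ == "__main__":
    names, conns = extract_iocs(build_pcap(sample_packets()))
    print("DNS:", dict(names))
    print("TCP:", {f"{ip}:{port}": n for (ip, port), n in conns.items()})
```

Point extract_iocs at the bytes of FakeNet's PCAP and the DNS counter gives you the hostnames to block, while the TCP counter shows which ports the sample reaches for (25/587 for mail, 80/443 for the payload URLs) even though, behind FakeNet, every connection lands on the local listener.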


2- In RegShot click Compare. The comparison report lists many deleted, added 
and modified keys and values; we are mainly interested in the added keys and 
values. Expect noise from your own tooling: Process Monitor registers its 
PROCMON24 driver/service keys, and Windows itself writes AppCompat, Error 
Reporting and MuiCache entries. Filter those out and what remains is the 
malware's footprint. 


[Screenshot: RegShot comparison report, "Values added" section (excerpt). Among the entries:] 
    HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord: (binary) 
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AmiHivePermissionsCorrect: 0x00000001 
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AmiHiveOwnerCorrect: 0x00000001 
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AmiOverridePath: "C:\Windows\AppCompat\Programs\Amcache.hve.tmp" 
    HKLM\SYSTEM\ControlSet001\Control\Class\{3A1380F4-708F-49DE-B2EF-...}\Class: "PROCMON24" 
    HKLM\SYSTEM\ControlSet001\Control\Class\{3A1380F4-708F-49DE-B2EF-...}\NoDisplayClass: "1" 
    HKLM\SYSTEM\ControlSet001\Control\Class\{3A1380F4-708F-49DE-B2EF-...}\NoUseClass: "1" 
    HKLM\SYSTEM\ControlSet001\Services\PROCMON24\SupportedFeatures: 0x00000003 
    HKLM\SYSTEM\ControlSet001\Services\PROCMON24\Instances\DefaultInstance: "Process Monitor 24 Instance" 
    HKLM\SYSTEM\ControlSet001\Services\PROCMON24\Instances\Process Monitor 24 Instance\Altitude: "385200" 
    HKLM\SYSTEM\ControlSet001\Services\PROCMON24\Instances\Process Monitor 24 Instance\Flags: 0x00000000 
    (the same Class and PROCMON24 entries repeated under HKLM\SYSTEM\CurrentControlSet) 
    HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\7\...\@C:\Windows\System32\hhctrl.ocx,-452: "Compiled HTML Help file" 
    HKU\S-1-5-21-4028334563-4058229886-2699854172-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\...: "{2}.\\?\hdaudio#..." 
    HKU\S-1-5-21-4028334563-4058229886-2699854172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Frpherzvfe\Qrfxgbc\Znyjner Nanylfvf gbbyf\CebprffZbavgbe\Cebpzba... 
    HKU\S-1-5-21-4028334563-4058229886-2699854172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Frpherzvfe\Qrfxgbc\Xraben.rkr: (binary) 
    HKU\S-1-5-21-...-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:...\VirtualDesktop: (several binary values) 
    HKU\S-1-5-21-...-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{704702DA-...}\LastAccessedTime: (binary) 
    HKU\S-1-5-21-...-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{704702DA-...}\AppId: "C:\Users\Securemisr\Desktop\Malware Analysis tools\ProcessMonitor\Procmon64.e [truncated] 
    HKU\S-1-5-21-...-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{704702DA-...}\LaunchCount: 0x00000001 
    HKU\S-1-5-21-...-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{896A982F-D2BE-44EA-A832-DD5D93667296}\LastAccessedTime: (binary) 
    HKU\S-1-5-21-...-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{896A982F-D2BE-44EA-A832-DD5D93667296}\AppId: "C:\Users\Securemisr\Desktop\Kenora.exe" 
    HKU\S-1-5-21-...-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{896A982F-D2BE-44EA-A832-DD5D93667296}\LaunchCount: 0x00000002 
    HKU\S-1-5-21-...-1000\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LastRateLimitedDumpGenerationTime: (binary) 


After checking the added values you can see that the malware created an entry under the 
RUN key; the file name is Synaptics.exe, located at c:\ProgramData\Synaptics\Synaptics.exe. 
When reading the report, ignore the entries that belong to your own tools: the PROCMON24 
class and service keys, for example, are Process Monitor's driver registering itself, not 
the sample. Note also that UserAssist value names are ROT13-encoded, so 
\Hfref\Frpherzvfe\Qrfxgbc\Xraben.rkr decodes to \Users\Securemisr\Desktop\Kenora.exe, which 
is Explorer recording that the sample was launched. 


3- Now apply filters in ProcMon to obtain a useful result: click the Filter button, 
add a condition for the malware process name "Kenora.exe", then add conditions for 
the suspicious operations you want to see, such as Process Create, RegCreateKey, 
RegSetValue, etc. 


[Screenshot: Process Monitor Filter dialog, "Display entries matching these conditions:" 
with a Process Name condition and several Operation conditions (the visible row reads 
"Operation begins with UDP then Include"); buttons Reset, Add, Remove, OK, Cancel, Apply.] 
Based on the above filter we observed the malicious activities below, such as 
discovering the system via the command line, creating a new process, etc. 

Apply more filters to get more results. 


[Screenshot: Process Monitor main window with the filter applied, columns Time, Process 
Name, PID, Operation, Path, Result, Detail. Visible Kenora.exe (PID 3104) events include:] 
    Process Start - Parent PID: 1068, Command line: "C:\Users\Securemisr\Desktop\Kenora.exe", Current directory: C:\Users\Securemisr\Desktop\, Environment: ALLUSERSPROFILE=C:\ProgramData ... 
    RegOpenKey   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager - Desired Access: Notify, Disposition: REG_OPENED_EXISTING_KEY 
    RegOpenKey   HKCR\WOW6432Node\CLSID\{...}\Instance - SUCCESS - Desired Access: Notify, Disposition: REG_OPENED_EXISTING_KEY 
    RegOpenKey   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer - SUCCESS - Desired Access: Read/Write, Disposition: REG_OPENED_EXISTING_KEY 
    RegSetValue  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries - SUCCESS - Type: REG_BINARY, Length: 100, Data: 44 F8 27 1D 1F 3A 10 44 85 AC 14 65 10 78 41 2D ... 
    RegSetValue  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries - SUCCESS - Type: REG_BINARY, Length: 100, Data: 4E 34 AA 50 BA 1C 33 42 BB BB 53 57 73 D4 B4 49 ... (repeated several times) 
    RegOpenKey   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap - SUCCESS - Desired Access: Read/Write, Disposition: REG_OPENED_EXISTING_KEY 
    RegSetValue  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass - SUCCESS - Type: REG_DWORD, Length: 4, Data: 1 
    RegSetValue  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName - SUCCESS - Type: REG_DWORD, Length: 4, Data: 1 
    RegSetValue  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet - SUCCESS - Type: REG_DWORD, Length: 4, Data: 1 
    RegSetValue  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect - SUCCESS - Type: REG_DWORD, Length: 4, Data: 0 
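The same filter can be applied to a saved ProcMon trace, which is easier to repeat across samples than the dialog. Here is an added example (my own code, not from this guide) that reads a ProcMon CSV export, keeps the Kenora.exe events for the operations named in step 3, summarises them, and pulls the child command lines out of the Process Create details. The column names are ProcMon's default CSV export columns; the rows are constructed to imitate the events above, and the times, the child PID 3320 and the "cmd.exe /c systeminfo" command line are sample values standing in for the command-line discovery the text describes.

```python
import csv
import io
import re
from collections import Counter

# Added example (not from the guide): apply the step-3 ProcMon filter to a CSV export.
# Column names are ProcMon's default CSV columns; SAMPLE_CSV rows are constructed to
# imitate the events shown above (times, PIDs and the child command line are samples).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:31:05.1 PM","Explorer.EXE","1068","Process Create","C:\\Users\\Securemisr\\Desktop\\Kenora.exe","SUCCESS","PID: 3104, Command line: ""C:\\Users\\Securemisr\\Desktop\\Kenora.exe"""
"9:31:05.2 PM","Kenora.exe","3104","Process Start","","SUCCESS","Parent PID: 1068, Command line: ""C:\\Users\\Securemisr\\Desktop\\Kenora.exe"", Current directory: C:\\Users\\Securemisr\\Desktop\\"
"9:31:05.4 PM","Kenora.exe","3104","RegOpenKey","HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap","SUCCESS","Desired Access: Read/Write, Disposition: REG_OPENED_EXISTING_KEY"
"9:31:05.4 PM","Kenora.exe","3104","RegSetValue","HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:31:05.5 PM","Kenora.exe","3104","RegSetValue","HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SlowContextMenuEntries","SUCCESS","Type: REG_BINARY, Length: 100, Data: 4E 34 AA 50 BA 1C 33 42 BB BB 53 57 73 D4 B4 49"
"9:31:06.0 PM","Kenora.exe","3104","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 3320, Command line: cmd.exe /c systeminfo"
"9:31:06.1 PM","svchost.exe","812","RegSetValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
'''

# The operations chosen in step 3 (Process Start added so the parent/command line is kept).
INTERESTING_OPS = {"Process Create", "Process Start", "RegCreateKey", "RegSetValue"}
CMDLINE_RE = re.compile(r'Command line: ("[^"]*"|[^,]*)')
PID_RE = re.compile(r"\bPID: (\d+)")

def load_procmon_csv(text):
    """Parse a ProcMon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def apply_filter(rows, process_name, operations=INTERESTING_OPS):
    """Keep events whose Process Name matches (case-insensitive) and whose Operation is wanted."""
    return [r for r in rows
            if r["Process Name"].lower() == process_name.lower() and r["Operation"] in operations]

def summarize(rows):
    """Count events per operation, e.g. how many registry writes the sample made."""
    return Counter(r["Operation"] for r in rows)

def child_processes(rows):
    """Return (child PID, command line) for each Process Create event in the rows."""
    children = []
    for r in rows:
        if r["Operation"] != "Process Create":
            continue
        pid = PID_RE.search(r["Detail"])
        cmd = CMDLINE_RE.search(r["Detail"])
        children.append((int(pid.group(1)) if pid else None,
                         cmd.group(1).strip().strip('"') if cmd else None))
    return children

def registry_writes(rows):
    """Return (path, detail) for every key creation or value write."""
    return [(r["Path"], r["Detail"]) for r in rows
            if r["Operation"] in ("RegSetValue", "RegCreateKey")]

if __name__ == "__main__":
    events = apply_filter(load_procmon_csv(SAMPLE_CSV), "Kenora.exe")
    print(summarize(events))
    print(child_processes(events))
    for path, detail in registry_writes(events):
        print(path, "->", detail)
```

Filtering on the process name alone misses the children it spawns; once child_processes() gives you the child PIDs, run apply_filter() again for each child name (cmd.exe here) so the discovery commands and anything they write are not lost.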





4- Finally, run the Autoruns tool to check all of the persistence locations. 


[Screenshot: Autoruns, "Everything" tab. Columns: Autorun Entry, Description, Publisher, 
Image Path, Timestamp, VirusTotal.] 
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell (7/16/2016 1:48 PM) 
        cmd.exe - Windows Command Processor - (Verified) Microsoft Windows - c:\windows\system32\cmd.exe - 7/16/2016 4:23 AM 
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (4/27/2020 11:04 PM) 
        VMware User Process - VMware Tools Core Service - (Verified) VMware, Inc. - c:\program files\vmware\vmware tool... - 3/22/2018 11:23 AM 
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (5/18/2020 9:31 PM) 
        OneDrive - Microsoft OneDrive - (Verified) Microsoft Corporation - c:\users\securemisr\appdata\local\... - 4/6/2016 5:07 AM 
        Synaptics Pointing Devi... - Synaptics Pointing Device Driver - (Not verified) Synaptics - c:\programdata\synaptics\synaptics.... - 6/20/1992 12:22 AM   (highlighted red) 
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (7/16/2016 1:48 PM) 
        n/a - Microsoft .NET IE SECURITY REGIS... - (Verified) Microsoft Corporation - c:\windows\system32\mscories.dll - 5/19/2016 4:48 AM 
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components (7/16/2016 1:48 PM) 
        n/a - Microsoft .NET IE SECURITY REGIS... - (Verified) Microsoft Corporation - c:\windows\syswow64\mscories.dll - 5/19/2016 5:19 AM 
    Task Scheduler 
        \Microsoft\Windows\Up... (four entries) - UpdateAssistant - (Verified) Microsoft Corporation - c:\windows\updateassistant\update... - 4/17/1917 9:31 PM 
        \Microsoft\Windows\Wi... (four entries) - Microsoft Malware Protection Comma... - (Verified) Microsoft Corporation - c:\program files\windows defender\m... - 10/9/2017 3:49 AM 


The tool has flagged the unsigned entry (highlighted red); feel free to navigate the 
rest of the tabs. 
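Autoruns colours unverified entries for you, but when you run it from the command line (autorunsc) or keep exports from several sandbox runs, it helps to score the entries automatically. Here is an added example (my own code, not from this guide) that reads an Autoruns CSV export and ranks entries by three signals visible in the screenshot above: a signer that is not "(Verified)", an image in a user-writable location such as ProgramData or AppData, and an implausible timestamp. The column names are assumed to follow autorunsc's CSV output, the timestamp format is assumed to match the GUI's "6/20/1992 12:22 AM" style, and the rows are constructed to mirror the Run entries shown above (the full VMware and OneDrive image paths and the Version/Launch String fields are sample values).

```python
import csv
import io
from datetime import datetime

# Added example (not from the guide): score Autoruns CSV entries. Column names are
# assumed to follow autorunsc's CSV output; rows are constructed to mirror the entries
# shown above, with sample values where the screenshot truncates them.
SAMPLE_AUTORUNS = '''"Time","Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String"
"3/22/2018 11:23 AM","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","VMware User Process","enabled","Logon","System-wide","VMware Tools Core Service","(Verified) VMware, Inc.","VMware, Inc.","c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe","n/a","c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe -n vmusr"
"4/6/2016 5:07 AM","HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","OneDrive","enabled","Logon","Securemisr","Microsoft OneDrive","(Verified) Microsoft Corporation","Microsoft Corporation","c:\\users\\securemisr\\appdata\\local\\microsoft\\onedrive\\onedrive.exe","n/a","c:\\users\\securemisr\\appdata\\local\\microsoft\\onedrive\\onedrive.exe /background"
"6/20/1992 12:22 AM","HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","Synaptics Pointing Device Driver","enabled","Logon","Securemisr","Synaptics Pointing Device Driver","(Not verified) Synaptics","Synaptics","c:\\programdata\\synaptics\\synaptics.exe","n/a","c:\\programdata\\synaptics\\synaptics.exe"
"7/16/2016 4:23 AM","HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell","cmd.exe","enabled","Logon","System-wide","Windows Command Processor","(Verified) Microsoft Windows","Microsoft Corporation","c:\\windows\\system32\\cmd.exe","n/a","cmd.exe"
'''

# Directories a standard user can write to; autostart images here deserve a second look.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")

def load_autoruns(text):
    """Parse an Autoruns CSV export into row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def is_verified(signer):
    """Autoruns prefixes a validated Authenticode signer with '(Verified)'."""
    return signer.strip().startswith("(Verified)")

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def suspicious_timestamp(ts, fmt="%m/%d/%Y %I:%M %p"):
    """Flag timestamps before 2000 or in the future, a common sign of a forged PE header."""
    try:
        t = datetime.strptime(ts.strip(), fmt)
    except ValueError:
        return False
    return t.year < 2000 or t > datetime.now()

def triage_autoruns(rows):
    """Return (entry, image path, reasons) for enabled entries with at least one signal,
    most signals first."""
    findings = []
    for r in rows:
        if r.get("Enabled", "").strip().lower() == "disabled":
            continue
        reasons = []
        if not is_verified(r["Signer"]):
            reasons.append("unsigned or unverified signer")
        if in_user_writable(r["Image Path"]):
            reasons.append("image in user-writable location")
        if suspicious_timestamp(r["Time"]):
            reasons.append("implausible timestamp")
        if reasons:
            findings.append((r["Entry"], r["Image Path"], reasons))
    findings.sort(key=lambda f: -len(f[2]))
    return findings

if __name__ == "__main__":
    for entry, image, reasons in triage_autoruns(load_autoruns(SAMPLE_AUTORUNS)):
        print(f"{entry}: {image}  [{', '.join(reasons)}]")
```

OneDrive also scores one point here because it legitimately lives under AppData, which is why the ranking matters more than any single signal: the unverified Synaptics entry collects all three and sorts to the top, exactly the row Autoruns highlighted.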


Now revert to the clean snapshot. 


Mostafa Yahia 


E-Mail: Mostafayahia753 @gmail.com 
LinkedIn: https://www.linkedin.com/in/mostafa-yahia-701b4b15a/ 


